Views: 1916 | Replies: 16
need help with ISA 2006
I want to ask anyone who has used ISA Server 2006. I've been trying for 2-3 days already.... but it still doesn't work.. I'm getting a headache..
I have a CISCO firewall here at the office.. and I'm planning to install ISA Server..
The CISCO sits in front, facing the Internet cloud. And I want to put ISA as the second firewall..
So when a user wants to access the Internet.. it goes through the ISA server first... then the CISCO, and only then the Internet....
Here are the details of my network.. (not the real IPs)
internal IP (user IPs) => 170.100.1.1 - 170.100.1.100 ... user gateway 170.100.1.200
ISA internal IP => 170.100.1.200
ISA external IP => 170.100.1.201
CISCO internal IP => 170.100.1.202
CISCO external IP => global IP (fixed IP)
I can access the Internet from the ISA server itself... but all access from users gets blocked at ISA.
I really don't understand.... what's going on..
I thought there was a new ISA Act that had just been amended..
Reply #1 testas's post
oobi has only ever heard of this ISA server; never really read about it or used it. I assume it's similar to a firewall? If that's the case, you need to add your user segment into the ISA server: create a route/policy to allow the 170.100.1.0 segment to get to the internet.
OK, I've managed to set up the ISA server and now I have 2 firewalls.. CISCO and ISA.. users must go through these 2 firewalls before reaching the internet....
But the setup is a bit odd...
My ISA has 2 network cards.. (2 IPs, both internal IPs).. both NICs connect to the office switch, which all the user PCs connect to as well... IP details below (not the real IPs)
1st NIC
IP = 192.168.1.100
mask = 255.255.255.0
gateway = none
2nd NIC
IP = 192.168.1.101
mask = 255.255.255.0
gateway = 192.168.1.102 (my CISCO internal IP)
By rights my 2nd NIC should have a LAN cable going DIRECTLY to my CISCO box (without going through the switch).. like the diagram below
user >>>>switch>>>>>ISA>>>>>>CISCO>>>>>> router>>>> internet cloud
But that doesn't work; at ISA all requests get dropped.. I don't know why.
What I'm doing (currently) is below...
user >>>>>>switch>>>>ISA>>>switch>>>>CISCO>>>>router>>>>internet cloud
If you look carefully, users can bypass the ISA server by changing their gateway to the CISCO, because there is a physical path between the users and the CISCO.
With the current setup, it looks like users are not going through ISA, but when I shut ISA down, no user can surf the internet.. strange, right..
Any idea, oobi?
Reply #5 testas's post
Yes, I can see that. I assume you've tested that machines on the user segment can bypass the ISA server (by setting the gateway to the Cisco internal IP address), even when ISA is offline; only when they use a static IP, not when they obtain an IP address from the DHCP server (provided you change the client gateway on the DHCP server to point to the internal IP of your ISA server).
Anyway, one way to make sure users don't bypass the ISA server is by blocking the user segment on the Cisco. What you can do is set a policy on the Cisco to block the 192.168.1.0 segment, then set another policy to allow only IP 192.168.1.101 (your external ISA IP) to pass through the Cisco.
Let us know how it goes.
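The Cisco-side policy oobi describes, as an added example that is not part of the thread: a constructed IOS-style extended ACL for the Cisco inside interface (permit only the ISA external address 192.168.1.101, deny and log everything else sourced from 192.168.1.0/24) together with a small evaluator that checks which sample flows the list admits, using IOS wildcard-mask and first-match semantics with the implicit deny at the end. Assumptions: the poster's Cisco is an IOS router (PIX/ASA syntax differs), TCP/UDP port qualifiers are ignored, and the flow addresses are made up.

```python
"""Evaluate a Cisco IOS-style extended ACL against sample flows.

Demonstrates the egress policy for the ISA-behind-Cisco design:
the Cisco inside interface should accept Internet-bound traffic only
from the ISA external interface and drop anything sourced directly
from the user segment, which is what a user who points the default
gateway at the Cisco (bypassing ISA) would send.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed ACL in IOS extended-ACL syntax (assumption: an IOS router).
# 0.0.0.255 is a wildcard mask: a 0 bit must match, a 1 bit is ignored.
INSIDE_ACL = """
access-list 101 permit ip host 192.168.1.101 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any log
"""


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; else "tcp"/"udp"/...
    src: Tuple[int, int]   # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    log: bool              # trailing "log" keyword present


def _parse_addr(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_acl(text: str, number: str = "101") -> List[AclEntry]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [log]' lines."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[1] != number:
            continue  # blank line or a different list
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        entries.append(AclEntry(action, proto, src, dst, "log" in rest))
    return entries


def _match(spec: Tuple[int, int], ip: str) -> bool:
    """Wildcard comparison: bits that are 0 in the wildcard must equal the ACL address."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl: List[AclEntry], src: str, dst: str, proto: str = "tcp") -> Tuple[str, bool]:
    """First match wins; the implicit 'deny ip any any' at the end is never logged."""
    for e in acl:
        if e.proto in ("ip", proto) and _match(e.src, src) and _match(e.dst, dst):
            return e.action, e.log
    return "deny", False


if __name__ == "__main__":
    acl = parse_acl(INSIDE_ACL)
    flows = [
        ("192.168.1.101", "203.0.113.10"),  # ISA external interface: permitted
        ("192.168.1.50", "203.0.113.10"),   # user with gateway set to Cisco: denied, logged
    ]
    for s, d in flows:
        print(s, "->", d, evaluate(acl, s, d))
```

The list only does its job when applied inbound on the Cisco interface that faces the office switch (`ip access-group 101 in` on an IOS router); the `log` keyword on the deny line is what later tells you which workstation changed its gateway.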
OK.. tried running it this morning.. everything was fine from 8.30 till 9.00 am.. work starts at 8.30.... then at about 9.00 the internet started to slow down.. looks like a bottleneck at the ISA.. so I shut it down and reverted to the original config. Otherwise everyone complains.... Need to reconfigure this ISA.
I want to ask oobi.. on the ISA I set route mode instead of NAT mode. My understanding is that with NAT.. ISA uses the external IP and hides the internal IPs. And route looks like it does the same.. because when I monitor at the CISCO, I keep receiving the ISA external IP.. in both NAT and route mode. I thought in route mode.. ISA would still keep the user IP.. that way it's a bit easier for me to block user IPs at the CISCO. As it is.. I can't block at the CISCO.. only 1 IP comes in to the CISCO.. (the ISA external IP)..
Not my fault.. I only submitted it once...
Reply #7 testas's post
oobi will explain later. oobi needs to sleep first, work tomorrow. But if you manage to solve it before then, update it here so that we can all learn.
OK.. it's 6.30 pm.. the new settings were deployed after lunch. They held up till this evening. ISA didn't hang, and everything is good. I installed the ISA 2006 evaluation with GFI WebMonitor. GFI WebMonitor is interesting software. I can monitor from A to Z where users surf on the internet, block certain websites, P2P applications can be blocked too, IM as well.
There's a summary of what users download.. mp3, video.. and the amount of data each user pulls over the internet every day.. so you can tell who's always on the internet. These are all GFI WebMonitor functions.
I haven't finished exploring ISA. I'll update again later..
It's just that I can't use the CISCO fully.. the CISCO just does NAT.. that's all..
I found something interesting about IM (YM, MSN).. even with the user PC's gateway pointing to the ISA server, IM can search for another gateway to bypass ISA. By default I block IM at ISA. And now the CISCO only accepts the ISA external IP. Now users can't use YM or MSN Messenger. But when I open up the IP at the CISCO.. users can't surf the internet or do email (Outlook, POP).. but IM gets through..... Just FYI, forumers.
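A way to see who is going around the proxy, as an added example that is not from the thread: once the Cisco inside ACL denies and logs traffic from the user segment (the policy suggested earlier in this thread), the router's `%SEC-6-IPACCESSLOGP` messages name the hosts that pointed their gateway at the Cisco, and the destination ports show what they were after (1863/tcp is MSN Messenger, 5050/tcp Yahoo Messenger). The script parses such lines and aggregates denied packets per offending source, ignoring the ISA external address. The log lines, the addresses and the ISA address 192.168.1.101 are constructed; the syslog timestamp and sequence prefixes a real router prepends are omitted and the regex matches the message body only.

```python
"""Find hosts that bypass the ISA proxy, from Cisco IOS ACL-deny log lines.

Assumes the Cisco inside-interface ACL permits only the ISA external
address and logs denied traffic from the user segment.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

ISA_EXTERNAL = "192.168.1.101"  # constructed, as in the thread's anonymised addressing

# Constructed sample in IOS %SEC-6-IPACCESSLOGP format: two workstations
# talking to IM servers directly, plus one logged permit from ISA itself
# to show that it is ignored by the report.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.37(1043) -> 203.0.113.5(1863), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.37(1044) -> 203.0.113.5(1863), 3 packets
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.52(2200) -> 198.51.100.9(5050), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.52(2201) -> 198.51.100.9(5050), 2 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.101(3301) -> 203.0.113.80(443), 12 packets
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_lines(text: str) -> List[Dict[str, str]]:
    """Return one dict of named fields per recognised IPACCESSLOGP line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search, so a syslog prefix before the body would not matter
        if m:
            records.append(m.groupdict())
    return records


def bypass_report(records: List[Dict[str, str]]) -> Dict[str, Tuple[int, List[int]]]:
    """Denied packets per source that is not ISA, with the destination ports it tried."""
    packets: Counter = Counter()
    ports = defaultdict(set)
    for r in records:
        if r["action"] != "denied" or r["src"] == ISA_EXTERNAL:
            continue
        packets[r["src"]] += int(r["count"])
        ports[r["src"]].add(int(r["dport"]))
    return {src: (packets[src], sorted(ports[src])) for src in packets}


if __name__ == "__main__":
    for src, (n, dports) in sorted(bypass_report(parse_lines(SAMPLE_LOG)).items()):
        print(f"{src}: {n} denied packets, ports {dports}")
```

Feed it the router's syslog export instead of `SAMPLE_LOG` and the sources listed are the workstations whose gateway is not the ISA server; because the ACL sits on the Cisco, the report also catches clients ISA never sees, which is the gap the IM programs were exploiting.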
Reply #11 testas's post
oobi actually still doesn't fully understand this NAT business, because I've never deployed it (especially now, since I no longer touch these things directly). As far as oobi knows, NAT has many uses and is usually done on a router. For example, you want to hide the real IP of your server (10.10.10.10) from the public, so you NAT it (170.16.48.10) on the router; the public will see only the NAT IP address of the server instead of its real IP.
Back to your scenario: your Cisco will only see one IP address (your external ISA) because that's the only source of requests. When your users send requests, they go through your ISA and then come out as one request to the Cisco; only your ISA server will see the IP addresses of your users. If you want the Cisco to see the IP addresses of your users, then you don't need ISA. So it doesn't matter which method you use, requests to the Cisco will only come from one IP address, your external ISA. So in your case I don't see any difference between using NAT and route mode, because both will end up sending the requests to the ISA external interface before being forwarded to the Cisco; this is purely based on your description. The only difference oobi can think of is that by using NAT you can block requests by IP, while in route mode you can only do it by segment. I could be wrong.
OK. This morning there was a problem: no https websites would load, even though I'd already allowed the https port on ISA. So after checking and checking.. I decided to change route mode to NAT mode.. and then all https sites loaded. Don't know what NAT did. Will update you later.. looks like ISA is OK today.. performance is OK too... caught users downloading mp3s and watching YouTube online.. see ya